The SIGMA Family of Key-Exchange Protocols

by Hugo Krawczyk

Summary:
SIGMA is a family of cryptographic key-exchange protocols that provide
perfect forward secrecy via a Diffie-Hellman exchange authenticated
with digital signatures. SIGMA is designed to support a variety of
features and trade-offs required in common practical scenarios
(such as identity protection and reduced number of protocol rounds)
as well as to enjoy sound cryptographic security. This design puts
forth the "SIGn-and-MAc" (SIGMA, for short) approach that carefully
combines the use of digital signatures and MAC functions to guarantee
an authenticated binding between the Diffie-Hellman key and the identities
of the parties to the exchange.
This simple approach resolves
security shortcomings found in previous protocols.
The SIGMA protocols serve as the cryptographic basis
for the signature-based modes of the standardized Internet Key Exchange (IKE)
protocol, and its current revision IKE version 2.
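
The three-message SIGMA-basic exchange, as an added example and not code from this page or from the author: A sends g^x; B answers with g^y, its identity, a signature over (g^x, g^y) and a MAC of its identity under a key Km derived from g^xy; A closes with its identity, a signature over (g^y, g^x) and MAC_Km(A). Assumptions of this example: X25519 for the Diffie-Hellman group, Ed25519 for signatures, HMAC-SHA256 for the MAC, a simplified HMAC-based key derivation in place of the PRF chain used in the paper and in IKE, and a map of trusted public keys standing in for certificates; identity protection (encrypting the identities) is left out. The last function shows the role of the MAC: a third party can sign the public DH values with her own key, but cannot produce MAC_Km over her identity, so the responder rejects the substituted identity.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party holds one peer's long-term Ed25519 signing key plus the state of one
// protocol run: its ephemeral X25519 key, both DH values and the derived keys.
type Party struct {
	ID         string
	SigPub     ed25519.PublicKey
	sigPriv    ed25519.PrivateKey
	dh         *ecdh.PrivateKey
	GX, GY     []byte // initiator's and responder's DH public values
	km         []byte // Km: MAC key derived from g^xy
	SessionKey []byte // Ks: session key derived from g^xy
}

// Msg2 is g^y, B, SIG_B(g^x, g^y), MAC_Km(B); Msg3 is A, SIG_A(g^y, g^x), MAC_Km(A).
type Msg2 struct {
	GY       []byte
	IDB      string
	Sig, Mac []byte
}
type Msg3 struct {
	IDA      string
	Sig, Mac []byte
}

func NewParty(id string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{ID: id, SigPub: pub, sigPriv: priv, dh: dh}, nil
}

// Pki is the directory of trusted signing keys (assumed stand-in for certificates).
func Pki(parties ...*Party) map[string]ed25519.PublicKey {
	m := map[string]ed25519.PublicKey{}
	for _, p := range parties {
		m[p.ID] = p.SigPub
	}
	return m
}

func prf(key []byte, label string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(label))
	return h.Sum(nil)
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// deriveKeys computes Km and Ks from g^xy (assumed simple HMAC key separation).
func (p *Party) deriveKeys(peer []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return err
	}
	gxy, err := p.dh.ECDH(pub)
	if err != nil {
		return err
	}
	p.km, p.SessionKey = prf(gxy, "sigma Km"), prf(gxy, "sigma Ks")
	return nil
}

// checkPeer is the sign-and-MAC check: the signature proves the peer took part
// in this DH exchange; the MAC under Km proves the named identity holds g^xy.
func (p *Party) checkPeer(id string, signed, sig, mac []byte, pki map[string]ed25519.PublicKey) error {
	pub, ok := pki[id]
	if !ok {
		return errors.New("unknown identity " + id)
	}
	if !ed25519.Verify(pub, signed, sig) {
		return errors.New("bad signature from " + id)
	}
	if !hmac.Equal(mac, prf(p.km, id)) {
		return errors.New("identity MAC mismatch for " + id)
	}
	return nil
}

// Msg1 (A -> B): g^x
func (p *Party) Msg1() []byte { p.GX = p.dh.PublicKey().Bytes(); return p.GX }

// RespondMsg2 (B -> A): g^y, B, SIG_B(g^x, g^y), MAC_Km(B)
func (p *Party) RespondMsg2(gx []byte) (Msg2, error) {
	p.GX, p.GY = gx, p.dh.PublicKey().Bytes()
	if err := p.deriveKeys(gx); err != nil {
		return Msg2{}, err
	}
	return Msg2{GY: p.GY, IDB: p.ID, Sig: ed25519.Sign(p.sigPriv, concat(p.GX, p.GY)), Mac: prf(p.km, p.ID)}, nil
}

// ProcessMsg2 verifies B's binding, then builds (A -> B): A, SIG_A(g^y, g^x), MAC_Km(A)
func (p *Party) ProcessMsg2(m Msg2, pki map[string]ed25519.PublicKey) (Msg3, error) {
	p.GY = m.GY
	if err := p.deriveKeys(m.GY); err != nil {
		return Msg3{}, err
	}
	if err := p.checkPeer(m.IDB, concat(p.GX, p.GY), m.Sig, m.Mac, pki); err != nil {
		return Msg3{}, err
	}
	return Msg3{IDA: p.ID, Sig: ed25519.Sign(p.sigPriv, concat(p.GY, p.GX)), Mac: prf(p.km, p.ID)}, nil
}

// ProcessMsg3 is B's final check of A's identity binding.
func (p *Party) ProcessMsg3(m Msg3, pki map[string]ed25519.PublicKey) error {
	return p.checkPeer(m.IDA, concat(p.GY, p.GX), m.Sig, m.Mac, pki)
}

// RunSigma drives one complete exchange and returns the agreed session key.
func RunSigma(a, b *Party, pki map[string]ed25519.PublicKey) ([]byte, error) {
	m2, err := b.RespondMsg2(a.Msg1())
	if err != nil {
		return nil, err
	}
	m3, err := a.ProcessMsg2(m2, pki)
	if err != nil {
		return nil, err
	}
	if err := b.ProcessMsg3(m3, pki); err != nil {
		return nil, err
	}
	if !bytes.Equal(a.SessionKey, b.SessionKey) {
		return nil, errors.New("session keys differ")
	}
	return a.SessionKey, nil
}

// MisbindingRejected shows why the MAC is needed: Eve swaps her own identity and
// her own signature over the public values (g^y, g^x) into message 3, but keeps
// A's MAC because she has no Km; B's identity-MAC check therefore fails.
func MisbindingRejected(a, b, eve *Party, pki map[string]ed25519.PublicKey) bool {
	m2, err := b.RespondMsg2(a.Msg1())
	if err != nil {
		return false
	}
	m3, err := a.ProcessMsg2(m2, pki)
	if err != nil {
		return false
	}
	forged := Msg3{IDA: eve.ID, Sig: ed25519.Sign(eve.sigPriv, concat(a.GY, a.GX)), Mac: m3.Mac}
	return b.ProcessMsg3(forged, pki) != nil
}
```

Each Party object carries one ephemeral key, so it represents one protocol run; a real implementation generates a fresh x or y per run and, as the paper discusses, adds the identity encryption that gives SIGMA-I and SIGMA-R their identity protection.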

History and Applications:
SIGMA was first designed in 1995 and suggested by the author to the IPsec
working group as a replacement for Photuris, an STS-based Diffie-Hellman
exchange used at the time in the IPsec protocols,
which suffered from some significant security flaws (see the
IPsec mailing list, April-October 1995).
SIGMA was eventually adopted into IKE,
the successor of Photuris, which became the standard key exchange protocol
for sharing keys between IPsec peers.
IKE uses two variants of SIGMA in its "authentication with signature" modes
(main and aggressive modes).
In the last year, there was renewed interest in these protocols because
of the plans to create a version 2 for IKE.
Several proposals for this revision used SIGMA as their core cryptographic
key-exchange, including the official WG document named IKEv2 and the
JFKr protocol.
Beyond these existing applications, SIGMA is very well suited
(and well analyzed) for other applications that require an authenticated
Diffie-Hellman exchange, especially when identity protection is sought or
when the identity of the peer is not uniquely specified from the start of
the protocol.

Papers:
A paper presenting SIGMA and its cryptographic rationale is available
(abstract, postscript, pdf);
a shorter version has been contributed to the proceedings
of Crypto'03 (LNCS Series, Vol. 2729).
The paper is intended to introduce the SIGMA protocols (and their IKE
applications) to a broad audience of protocol designers and security
engineers, and emphasizes many subtleties surrounding the design
of secure key-exchange protocols in general, and identity-protecting
protocols in particular.
The paper also points out the strengths and weaknesses of previous protocols
(such as STS, Photuris, and ISO) that motivated the design of SIGMA.
A PowerPoint presentation about SIGMA
from the invited talk at Crypto'03 is also available
(it also includes a succinct introduction to IPsec and IKE).
A formal analysis of the SIGMA protocol (and its IKE applications)
in a complexity-theoretic setting
appears in a
companion paper
(co-authored with Ran Canetti) presented at Crypto'02.